CVE-2025-41066

Published: Dec 2, 2025

Modified: Dec 2, 2025

PUBLISHED

Description

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user.

Vendor	Product	Versions
Horde	Groupware	affected `5.2.22`

Weaknesses (CWE)

CWE-200

References

https://www.incibe.es/en/incibe-cert/notices/aviso/disclosure-sensitive-information-horde-groupware

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-41066

Description

Affected Products

Weaknesses (CWE)

References